The Hacker News — Cyber Security, Hacking, Technology News

Last year, Uber received an email from an anonymous person demanding money in exchange for the stolen user database.

It turns out that a 20-year-old Florida man, with the help of another, breached Uber's system last year and was paid a huge amount by the company to destroy the data and keep the incident secret.

Just last week, Uber announced that a massive data breach in October 2016 exposed personal data of 57 million customers and drivers and that it paid two hackers $100,000 in ransom to destroy the information.

However, the ride-hailing company did not disclose identities or any information about the hackers or how it paid them.

Now, two unnamed sources familiar with the incident have told Reuters that Uber paid a Florida man through the HackerOne platform, a service that helps companies host their bug bounty and vulnerability disclosure programs.

So far, the identity of the Florida man, or of the second person who helped him carry out the hack, has not been obtained.

Notably, HackerOne, which does not manage or play any role in deciding rewards on behalf of companies, receives identifying information about the recipient (hackers and researchers) via an IRS W-9 or W-8BEN form before an award can be paid.

In other words, some employees at Uber and HackerOne definitely know the real identity of the hacker, but chose not to pursue the case, as the individual did not appear to pose any future threat to the company.

Moreover, the sources also said that Uber conducted a forensic analysis of the hacker's computer to make sure that all the stolen data had been wiped, and also had the hacker sign a nondisclosure agreement to prevent further wrongdoing.

Reportedly, the Florida man also paid some unknown portion of the received bounty to the second person, who was responsible for helping him obtain credentials from GitHub for access to Uber data stored elsewhere.

The breach, which originally occurred in October 2016, exposed the names and driver license numbers of some 600,000 drivers in the United States, and the names, emails, and mobile phone numbers of around 57 million Uber users worldwide, which included drivers as well.

However, other personal details, like trip location history, dates of birth, credit card numbers, bank account numbers, and Social Security numbers, were not accessed in the attack.

Former Uber CEO Travis Kalanick learned of the cyber attack in November 2016 and chose not to involve authorities, believing the company could more easily and effectively negotiate directly with the hackers to limit any harm to its customers.

However, this secret dealing with the hackers eventually cost the Uber security executives who handled the incident their jobs.

Now Uber CEO Dara Khosrowshahi has reportedly fired Uber Chief Security Officer Joe Sullivan, and one of his deputies, Craig Clark, who worked to keep the data breach quiet.

"None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi said.

"We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."

Google has finally launched a bug bounty program for Android apps on Google Play Store, inviting security researchers to find and report vulnerabilities in some of the most popular Android apps.

Dubbed "Google Play Security Reward," the bug bounty program invites security researchers to work directly with Android app developers to find and fix vulnerabilities in their apps, for which Google will pay $1,000 in rewards.

"The goal of the program is to further improve app security which will benefit developers, Android users, and the entire Google Play ecosystem," the technology giant says in a blog post published today.

Google has collaborated with the bug bounty platform HackerOne to manage the back end of this program, such as report submission and inviting white-hat hackers and researchers.

White-hat hackers who wish to participate can submit their findings directly to the app developers. Once the security vulnerability has been resolved, the hacker needs to submit their bug report to HackerOne.

Google will then pay a $1,000 reward based on its Vulnerability Criteria; according to the company, more criteria may be added in the future, widening the scope for rewards.

"All vulnerabilities must be reported directly to the app developer first. Only submit issues to the Play Security Rewards Program that have already been resolved by the developer," HackerOne said.

"For now, the scope of this program is limited to RCE (remote-code-execution) vulnerabilities and corresponding POCs (Proof-of-concepts) that work on Android 4.4 devices and higher."

It is an unfortunate truth that even after so many efforts by Google, malicious apps somehow continue to fool the Play Store's security mechanisms and infect millions of Android users.

It's notable that the Google Play Security Reward program does not cover finding and reporting fake, adware or malware apps on the Play Store, so the program will do nothing to curb the rise of malicious apps on Google's platform.

For now, a limited number of Android apps have been added to Google Play Security Reward Program, including Alibaba, Snapchat, Duolingo, Line, Dropbox, Headspace, Mail.ru and Tinder.

So what are you waiting for?

Roll up your sleeves and start hunting for vulnerabilities. For more details about Google Play Security Reward Program, visit HackerOne.

With the growing number of cyber attacks and data breaches, a number of tech companies and organisations have started bug bounty programs to encourage hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded.

Samsung is the latest in the list of tech companies to launch a bug bounty program, announcing that the South Korean electronics giant will offer rewards of up to $200,000 to anyone who discovers vulnerabilities in its mobile devices and associated software.

Dubbed Mobile Security Rewards Program, the newly-launched bug bounty program will cover 38 Samsung mobile devices released from 2016 onwards which currently receive monthly or quarterly security updates from the company.

So, if you want to take part in the Samsung Mobile Security Rewards Program, you have these devices as your target—the Galaxy S, Galaxy Note, Galaxy A, Galaxy J, and the Galaxy Tab series, as well as Samsung's flagship devices, the S8, S8+, and Note 8.

"We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program for eligible security vulnerability reports," the company explains on its bug bounty website.

"We look forward to your continued interests and participations in our Samsung Mobile Security Rewards Program. Through this rewards program, we hope to build and maintain valuable relationships with researchers who coordinate disclosure of security issues with Samsung Mobile."

Beyond mobile devices, the tech giant's Mobile Services suite is also in scope, covering apps and services such as Bixby, Samsung Account, Samsung Pay and Samsung Pass, among others.

To be eligible for a reward, researchers and bug hunters need to provide a valid proof-of-concept (PoC) exploit that can compromise a Samsung handset without requiring any physical connection or third-party application.

The company will evaluate the reward depending on the severity level of the vulnerability (Critical, High, Moderate, and Low) and its impact on devices. The lowest reward is $200, for low-severity flaws, while the highest is $200,000, for critical bugs.

Higher rewards will be offered for bugs that lead to trusted execution environment (TEE) or bootloader compromise. The severity level will be determined by Samsung.

Following the path of major tech companies, the non-profit group behind the Tor Project recently joined hands with HackerOne to launch its own bug bounty program, with the highest payout set at $4,000.

So, what are you waiting for? Hunt for bugs in Samsung products and submit your findings to the company via the Security Reporting page.

Microsoft has finally launched a new dedicated bug bounty program to encourage security researchers and bug hunters to find and responsibly report vulnerabilities in its latest Windows operating systems and software.

As the favourite target of hackers and cyber criminals, Windows is an OS in which every single zero-day vulnerability—from critical remote code execution, mitigation bypass and elevation of privilege to design flaws—could cause a crisis like the recent WannaCry and Petya ransomware attacks.

In the past five years the tech giant has launched multiple time-limited bug bounty programs focused on various Windows features, and after seeing quite a bit of success, Microsoft has decided to continue.

"Security is always changing, and we prioritise different types of vulnerabilities at different points in time. Microsoft strongly believes in the value of the bug bounties, and we trust that it serves to enhance our security capabilities."

With its latest bug bounty program, Microsoft is offering up to $250,000 in rewards to cybersecurity researchers and bug hunters who find vulnerabilities in the company's software, which mainly focuses on:

Windows 10, Windows Server 2012 and Insider Previews

Microsoft Hyper-V

Mitigation Bypass Techniques

Windows Defender Application Guard

Microsoft Edge Browser

Below is the chart showing details of the targets, main focus areas and the respective payouts:

"In the spirit of maintaining a high-security bar in Windows, we’re launching the Windows Bounty Program on July 26, 2017," Microsoft says in a blog post. "The bounty program is sustained and will continue indefinitely at Microsoft’s discretion."

Recently, the non-profit group behind Tor Project joined hands with HackerOne and launched a bug bounty program with the payout of up to $4,000 to researchers and bug hunters for finding and reporting flaws that could compromise the anonymity network.

For more granular details about Microsoft's Bug Bounty Program, you can check out the program on the TechNet site.

With the growing number of cyber attacks and breaches, a significant number of companies and organisations have started bug bounty programs to encourage hackers, bug hunters and researchers to find and responsibly report bugs in their services and get rewarded.

Following major companies and organisations, the non-profit group behind Tor Project – the largest online anonymity network that allows people to hide their real identity online – has finally launched a "Bug Bounty Program."

The Tor Project announced on Thursday that it joined hands with HackerOne to start a public bug bounty program to encourage hackers and security researchers to find and privately report vulnerabilities that could compromise the anonymity network.

HackerOne is a bug bounty startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even the United States Department of Defense for its Hack the Pentagon initiative.

Bug bounty programs are cash rewards given by companies or organisations to white hat hackers and researchers who hunt for serious security vulnerabilities in their websites or products and then responsibly disclose them.

The Tor Project announced its intention to launch a public bug bounty program in late December 2015 during a talk by the Tor Project at the Chaos Communication Congress (CCC) held in Hamburg, Germany. It launched an invite-only bounty program last year.

The highest payout has been set at $4,000 — bug hunters can earn between $2,000 and $4,000 for High severity vulnerabilities, between $500 and $2,000 for Medium severity vulnerabilities, and a minimum of $100 for Low severity bugs.

Moreover, less severe issues will be rewarded with a t-shirt, stickers and a mention in Tor's hall of fame.

"Tor users around the globe, including human rights defenders, activists, lawyers, and researchers, rely on the safety and security of our software to be anonymous online," Tor browser developer Georg Koppen said in a blog post. "Help us protect them and keep them safe from surveillance, tracking, and attacks."

The Tor Project is a non-profit organisation behind the Tor anonymizing network that allows any online user to browse the Internet without the fear of being tracked.

The Project first announced its plan to launch the bug bounty program weeks after it accused the FBI of paying researchers at Carnegie Mellon University (CMU) at least $1 million to help it unmask Tor users and reveal their IP addresses, though the FBI denies the claims.

After the discovery of a critical vulnerability that could have allowed hackers to view private Yahoo Mail images, Yahoo retired the image-processing library ImageMagick.

ImageMagick is an open-source image processing library that lets users resize, scale, crop, watermark and tweak images. The library can be used from PHP, Python, Ruby, Perl, C++, and many other programming languages.

This popular image-processing library made headlines last year with the discovery of a then-zero-day vulnerability, dubbed ImageTragick, which allowed attackers to execute malicious code on a web server by uploading a maliciously crafted image.

Now, just last week, security researcher Chris Evans demonstrated an 18-byte exploit to the public that could be used to cause Yahoo servers to leak other users' private Yahoo! Mail image attachments.

'Yahoobleed' Bug Leaks Images From Server Memory

The exploit abuses a security vulnerability in the ImageMagick library, which Evans dubbed "Yahoobleed #1" (YB1) because the flaw caused the service to bleed contents stored in server memory.

To exploit the vulnerability, all an attacker needs to do is create a maliciously crafted RLE image, send it to the victim's email address, and use a loop of empty RLE protocol commands to prompt the leakage of information.

To show how it is possible to compromise a Yahoo email account, Evans, as a proof-of-concept (PoC) demonstration, created a malicious image containing the 18-byte exploit and emailed it to himself as an attachment.

Once the attachment reached Yahoo's email servers, ImageMagick processed the image to generate thumbnails and previews, but because of Evans' exploit, the library generated a corrupt preview for the attachment.

When the attachment was clicked, the image preview pane opened, and the service displayed portions of other images still present in the server's memory instead of the original image.

"The resulting JPEG image served to my browser is based on uninitialized, or previously freed, memory content," Evans said.

Unlike Heartbleed and Cloudbleed, which were caused by out-of-bounds reads of server-side memory, Evans said Yahoobleed makes use of uninitialized or previously freed memory content.

"The previous bleed vulnerabilities have typically been out-of-bounds reads, but this one is the use of uninitialized memory," Evans said. "An uninitialized image decode buffer is used as the basis for an image rendered back to the client."

"This leaks server-side memory. This type of vulnerability is fairly stealthy compared to an out-of-bounds read because the server will never crash. However, the leaked secrets will be limited to those present in freed heap chunks."
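How an uninitialized decode buffer becomes a bleed, and what the fix looks like, as an added example that is not from Evans' writeup or from ImageMagick's code: a toy RLE-style decoder with two constructed opcodes (fill, skip) and a 16-pixel buffer, sitting on top of a toy allocator that hands freed chunks back to the next caller unchanged, which is what a heap does. The "skip everything" image, the shape of the loop of empty commands described above, defines no pixel at all. The vulnerable decoder returns the previous caller's bytes untouched; the hardened one zero-fills the buffer before running any command, bounds-checks every command, and reports how many pixels the image actually defined so a caller can flag images that define none.

```python
"""Toy model of the Yahoobleed #1 pattern. Opcodes, buffer size and the
allocator are constructed for this example; none of it is ImageMagick's."""

PIXELS = 16
OP_FILL, OP_SKIP = 0x01, 0x02


class RecyclingHeap:
    """Stand-in for malloc/free: a freed chunk of the right size is handed
    back to the next caller with its old contents intact."""

    def __init__(self):
        self.free_chunks = []

    def alloc(self, size):
        for chunk in self.free_chunks:
            if len(chunk) == size:
                self.free_chunks.remove(chunk)
                return chunk          # stale bytes come along for the ride
        return bytearray(size)

    def free(self, chunk):
        self.free_chunks.append(chunk)


def _commands(stream):
    """Yield (op, count, value) triples; reject a truncated trailing command."""
    if len(stream) % 3:
        raise ValueError("truncated RLE command")
    for i in range(0, len(stream), 3):
        yield stream[i], stream[i + 1], stream[i + 2]


def decode_vulnerable(heap, stream):
    """Writes only where the stream says to. Pixels the stream never
    mentions keep whatever the buffer held before: that is the bleed."""
    px = heap.alloc(PIXELS)
    cur = 0
    for op, count, value in _commands(stream):
        if op == OP_FILL:
            end = min(cur + count, PIXELS)
            px[cur:end] = bytes([value]) * (end - cur)
            cur = end
        elif op == OP_SKIP:
            cur = min(cur + count, PIXELS)
    return px


def decode_hardened(heap, stream):
    """Same decoder with the fix: initialise every pixel before any command
    runs, reject commands that overrun the buffer or use unknown opcodes,
    and return how many pixels the image actually defined."""
    px = heap.alloc(PIXELS)
    px[:] = bytes(PIXELS)                    # memset(px, 0, PIXELS)
    cur = written = 0
    for op, count, value in _commands(stream):
        if count > PIXELS - cur:
            raise ValueError("RLE command overruns pixel buffer")
        if op == OP_FILL:
            px[cur:cur + count] = bytes([value]) * count
            written += count
        elif op != OP_SKIP:
            raise ValueError(f"unknown RLE opcode {op:#x}")
        cur += count
    return px, written


# Constructed inputs: a benign image, and a "skip everything" image that
# defines no pixel at all. The photo bytes stand in for another user's data.
NORMAL_IMAGE = bytes([OP_FILL, 4, 0xAA, OP_SKIP, 4, 0, OP_FILL, 8, 0x55])
BLEED_IMAGE = bytes([OP_SKIP, PIXELS, 0])
PREVIOUS_USER_PHOTO = b"OTHER-USER-PHOTO"    # exactly PIXELS bytes


def simulate(decoder):
    """Decode another user's photo, free it, then decode the attacker's image
    through `decoder` on the same heap. Returns the bytes sent to the client."""
    heap = RecyclingHeap()
    earlier = heap.alloc(PIXELS)
    earlier[:] = PREVIOUS_USER_PHOTO
    heap.free(earlier)                       # chunk goes back, contents untouched
    result = decoder(heap, BLEED_IMAGE)
    return bytes(result[0] if isinstance(result, tuple) else result)


if __name__ == "__main__":
    print("vulnerable:", simulate(decode_vulnerable))   # stale photo bytes surface
    print("hardened:  ", simulate(decode_hardened))     # sixteen zero bytes
```

Note what the hardened version does not do: it does not reject an image that skips every pixel, because skipping is legitimate in RLE formats. Zero-filling makes the output defined regardless, and the returned count gives a caller a cheap signal ("this attachment defined zero pixels") worth logging at an upload endpoint.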

Yahoo Retires 'Buggy' ImageMagick Library

After Evans submitted his 18-byte exploit to Yahoo, the company decided to retire the ImageMagick library altogether rather than fix the issue.

Evans also warned of another version of Yahoobleed, dubbed Yahoobleed2, which was due to Yahoo's failure to install a critical patch released in January 2015. He said the flaws combined could allow attackers to obtain browser cookies, authentication tokens, and private images belonging to Yahoo Mail users.

Evans was awarded a $14,000 bounty -- $778 per byte of exploit code -- by the tech giant, which doubled the bounty to $28,000 after learning of Evans' intention to donate his reward to charity.

After making Yahoo aware of the issue, Evans reported the vulnerability to the ImageMagick team, which released ImageMagick version 7.0.5-1 two months ago with a fix.

Other widely used web services that rely on the ImageMagick library are likely still vulnerable to the bug and are advised to apply the patch as soon as possible.

With the growing number of data breaches and cyber attacks, a significant number of companies and organizations have started bug bounty programs to encourage hackers and bug hunters to find and responsibly report vulnerabilities in their services and get rewarded.

Now, following the success of the "Hack the Pentagon" and "Hack the Army" initiatives, the United States Department of Defense (DoD) has announced the launch of the "Hack the Air Force" bug bounty program.

Hacking or breaking into Defense Department networks was once simply illegal, but with the "Hack the Pentagon" initiative the DoD started rewarding outsiders for finding and reporting weaknesses in its private networks.

"This is the first time the AF [Air Force] has opened up...networks to such a broad scrutiny," Peter Kim, the Air Force Chief Information Security Officer said in a statement. "We have malicious hackers trying to get into our systems every day."

"It'll be nice to have friendly hackers taking a shot and, most importantly, showing us how to improve our cyber security and defense posture. The additional participation from our partner nations greatly widens the variety of experience available to find additional unique vulnerabilities."

The "Hack the Air Force" program is directed by HackerOne, the bug bounty startup that was behind Hack the Pentagon, and Luta Security, the security consulting company driving the U.K. program.

Hackers From The Five Eyes Nations Are Invited

This program will be the DoD's largest bug bounty project, as it invites experts and white hat hackers not only from the United States but also from the remaining Five Eyes countries: the United Kingdom, Canada, Australia and New Zealand.

So only hackers and bug hunters from the Five Eyes intelligence alliance are eligible to participate in Hack the Air Force.

"This outside approach – drawing on the talent and expertise of our citizens and partner nation citizens – in identifying our security vulnerabilities will help bolster our cyber security," said Air Force Chief of Staff Gen. David L. Goldfein.

"We already aggressively conduct exercises and 'red team' our public facing and critical websites. But this next step throws open the doors and brings additional talent onto our cyber team."

Only Vetted Hackers Can Participate

Only "Vetted Hackers" can participate in the Hack the Air Force program, which means candidates must pass a rigorous background check after registration and have a clean criminal record in order to take part.

Some critics argue that this process excludes many talented hackers and bug hunters, but it is a standard condition across all of the Pentagon's bug bounty programs.

Registration for "Hack the Air Force" will start on May 15 and interested participants should register through HackerOne. The contest will launch on May 30 and last until June 23.

The first DoD bug bounty program, "Hack the Pentagon," came in April 2016, in which over 14,000 participating hackers found 138 vulnerabilities in DoD systems and were awarded over $75,000 in bounties.

Like the bug bounty programs offered by leading technology companies, Hack the Air Force is an exercise for federal authorities to strengthen their security measures and counter cyber attacks.

Both tech giants Google and Microsoft have raised the value of the payouts they offer security researchers, white hat hackers and bug hunters who find high severity flaws in their products.

While Microsoft has just doubled its top reward from $15,000 to $30,000, Google has raised its high reward from $20,000 to $31,337, which is a 50 percent rise plus a bonus $1,337 or 'leet' award.

In the past few years, every major company, from Apple to P*rnHub and Netgear, has started bug bounty programs to encourage hackers and security researchers to find and responsibly report bugs in their services and get rewarded.

But with more and more bug hunters participating in bug bounty programs at every big tech company, few common, easy-to-spot bugs are left, and those that remain rarely have a severe impact.

What remain are sophisticated, remotely exploitable vulnerabilities, which take more time and effort than ever to discover.

So companies needed to give researchers more incentive to help find high-severity vulnerabilities that have become harder to identify.

Until now, Google offered $20,000 for remote code execution (RCE) flaws and $10,000 for unrestricted file system or database access bugs. These rewards have now been increased to $31,337 and $13,337, respectively.

Vulnerability types in the unrestricted file system or database access category that can earn up to $13,337, if they affect highly sensitive services, include unsandboxed XML eXternal Entity (XXE) and SQL injection bugs.

Since the launch of its bug bounty program in 2010, Google has paid out over $9 Million, including $3 Million awarded last year.

Netgear launched on Thursday a bug bounty program offering up to $15,000 in rewards to hackers who find security flaws in its products.

With criminals taking aim at the rapidly growing attack surface created by millions of new Internet of Things (IoT) devices, it has become crucial to protect routers, which hold the keys to the kingdom: they connect the outside world to the IP networks these connected devices run on.

To combat this issue, Netgear, one of the biggest networking equipment providers in the world, has launched a bug bounty program focusing on its products, particularly routers, wireless security cameras and mesh Wi-Fi systems.

Bug bounty programs are cash rewards given by companies or organizations to white hat hackers and researchers who hunt for serious security vulnerabilities in their websites or products and then responsibly disclose them so a patch can be released.

Bug bounties are designed to encourage security researchers, hackers and enthusiasts to responsibly report the vulnerabilities they discover, rather than selling or exploiting them.

On Thursday, Netgear announced that the company has partnered with Bugcrowd to launch the Netgear Responsible Disclosure Program, which can earn researchers cash rewards ranging from $150 to $15,000 for finding and responsibly reporting security vulnerabilities in its hardware, APIs and mobile apps.

Meanwhile, on the same day, the Federal Trade Commission (FTC) filed a lawsuit against D-Link, another large networking equipment provider, arguing that the company failed to implement necessary security protections in its routers and Internet-connected security cameras, leaving "thousands of consumers at risk" of hacking attacks.

If you are a bug bounty hunter, you should read all terms and conditions before testing Netgear products or its website.

One of them explicitly states: "You may only exploit, investigate, or target security bugs against your own accounts and/or your own devices. Testing must not violate any law, or disrupt or compromise any data or access data that is not yours; intentional access of customer data other than your own is prohibited."

The company is paying out up to $15,000 for each vulnerability. The highest bounty will be given for the flaws that would allow access to the cloud storage video files or live video feeds of all its customers, and bugs that allow remote access to routers from the Internet, as shown in the chart above.

Netgear will also pay $10,000 for video feed and cloud storage access bugs that cannot be exploited in mass attacks. The same payout will be given for security issues that provide access to the payment card data of all Netgear customers.

There's one more thing Apple should be worried about: While Apple’s bug bounty program is invitation-only, at least for the time being, anyone can register on Exodus’s website and participate in the program to submit vulnerabilities.

Two computer hackers have earned more than 1 Million frequent-flyer miles each from United Airlines for finding and reporting multiple security vulnerabilities in the Airline's website.

Olivier Beg, a 19-year-old security researcher from the Netherlands, has earned 1 Million air miles from United Airlines for finding around 20 security vulnerabilities in the software systems of the airline.

Last year, Chicago-based United Airlines launched a bug bounty program inviting security researchers and bug hunters to find and report security holes in its websites, software, apps and web portals.

Under its bounty program, United Airlines offers a top reward of 1 Million flyer miles for reporting Remote Code Execution (RCE) flaws; 250,000 miles for medium-severity vulnerabilities, and 50,000 flyer miles for low-severity bugs.

According to Netherlands Broadcasting Foundation, the 19-year-old reported 20 security issues to United Airlines and the most severe flaw earned the teenager 250,000 air miles.

Beg did not reveal the details about the flaws he discovered, but the teenager claims to have reported flaws in software from popular tech companies including Yahoo, Google, and Facebook.

Another researcher, a 23-year-old from Algeria, reported three security issues under the airline's bug bounty program and earned 1.7 million flyer miles from United Airlines.

Djaballah Mohamed Taher told The Hacker News that he reported Remote Code Execution, authorization bypass and Cross Site Scripting (XSS) flaws to the airline but did not detail the technical aspects given the program's non-disclosure agreement.

Last year, Jordan Wiens was the first security researcher to earn United Airlines' top reward of 1 Million Miles for finding a security bug that allowed him to seize control of one of the airline's websites.

Bug bounty programs are very common among technology firms, including Google, Microsoft, and Facebook, who offer security researchers hundreds of thousands of dollars as rewards for exposing security weaknesses in their products.

It's good to see companies like United Airlines, Tesla, General Motors and Fiat Chrysler welcoming vulnerability reports from researchers and rewarding them for their work.

Apple is the latest to announce the bug bounty program starting this fall to pay outside security researchers and white hat hackers for privately disclosing security issues in its products.

The company plans to offer rewards of up to $200,000, though the scope of its program has initially been kept invitation-only targeting a small range of Apple software including iOS and iCloud.

So finally, Apple will pay you for your efforts in finding bugs in its products.

While major technology companies, including Microsoft, Facebook and Google, have launched bug bounty programs over the last few years to reward researchers and hackers who report vulnerabilities in their products, Apple remained a holdout.

But not any longer.

On Thursday, Apple announced at the Black Hat security conference that the company would be launching a bug bounty program starting this fall to pay outside security researchers and white hat hackers who privately disclose security flaws in the company's products.

How much is a vulnerability in Apple software worth? Any guesses?

It's up to $200,000.

Ivan Krstic, head of Apple's security team, said the company plans to offer rewards of up to $200,000 (£152,433) to researchers who report critical security vulnerabilities in certain Apple software.

That's certainly a sizable bounty — one of the highest offered in corporate bug bounty programs.

Apple Bug Bounty Program — Invite Only, For Now

For now, Apple is intentionally keeping the scope of its bug bounty program small by launching it as invitation-only, open to a limited number of security researchers who have previously made valuable bug disclosures to Apple.

The company will slowly expand the bug bounty program.

Launching in September, the program will offer bounties for a small range of iOS and iCloud flaws.

Here's the full list of risk and reward:

Flaws in secure boot firmware components: Up to $200,000.

Flaws that could allow extraction of confidential data protected by the Secure Enclave: Up to $100,000.

Vulnerabilities that allow executions of malicious or arbitrary code with kernel privileges: Up to $50,000.

Access from a sandboxed process to user data outside of that sandbox: Up to $25,000.

To be eligible for a reward, researchers will need to provide a proof-of-concept (PoC) on the latest iOS and hardware; rewards will also depend on the clarity of the bug report, the novelty of the problem, the likelihood of user exposure, and the degree of user interaction necessary to exploit the flaw.

Decision Comes in the Wake of the FBI Scandal

Earlier this year, Apple fought a much-publicized battle with the FBI over a court order to access the locked San Bernardino shooter's iPhone.

P*rnHub launched its bug bounty program two months ago to encourage hackers and bug bounty hunters to find and responsibly report flaws in its services and get rewarded.

Now, it turns out that the world's most popular p*rn*graphy site has paid its first bounty payout. But how much?

US $20,000!

Yes, P*rnHub has paid $20,000 bug bounty to a team of three researchers, who gained Remote Code Execution (RCE) capability on its servers using a zero-day vulnerability in PHP – the programming language that powers P*rnHub's website.

The team of three researchers, Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), discovered two use-after-free vulnerabilities (CVE-2016-5771/CVE-2016-5773) in PHP's garbage collection algorithm when it interacts with other PHP objects.

The entry point was PHP's unserialize function, which the website calls on data uploaded by users, like pictures, on multiple paths, including:

http://www.P*rnH*b.com/album_upload/create

http://www.P*rnH*b.com/uploading/photo

This zero-day flaw let the researchers reveal the address of the server's POST data, allowing them to craft a malicious payload and thereby executing rogue code on P*rnHub's server.

The hack was complicated and required a massive amount of work that granted a "nice view of P*rnHub’s /etc/passwd file," allowing the team to execute commands and make PHP run malicious syscalls.

The PHP zero-day vulnerabilities affect all PHP versions of 5.3 and higher, though the PHP project has fixed the issue.

The hack could have allowed the team to drop all P*rnHub data including user information, track its users and observe behavior, disclose all source code of co-hosted websites, pivot deeper into the network and gain root privileges.

P*rnHub paid the team $20,000 for their incredible efforts, and the Internet Bug Bounty program on HackerOne also awarded the researchers an additional $2,000 for discovering the PHP zero-days.

The sophisticated hack on P*rnHub's servers that allowed the team to gain full access to the entire P*rnHub database has been explained in two highly detailed blog posts. You can head on to them for technicalities of this attack.

Vine is a short-form video sharing service where people can share 6-second-long looping video clips. Twitter acquired the service in October 2012.

Indian bug bounty hunter Avinash discovered a loophole in Vine that allowed him to download a Docker image containing the complete source code of Vine without any hassle.

Launched in June 2014, Docker is a new open-source container technology that makes it possible to get more apps running on the same old servers and also very easy to package and ship programs. Nowadays, companies are adopting Docker at a remarkable rate.

However, the Docker images used by Vine, which were supposed to be private, were actually publicly available online.

While searching for vulnerabilities in Vine, Avinash used Censys.io – an all-new hacker's search engine similar to Shodan – that scans the whole Internet daily for vulnerable devices.

Using Censys, Avinash found over 80 Docker images, but he specifically downloaded 'vinewww', because the name of this image resembles the www folder, which is generally used to hold the website on a web server.

After the download was complete, he ran the docker image vinewww, and Bingo!

The bug hunter was able to see the entire source code of Vine, its API keys as well as third-party keys and secrets. "Even running the image without any parameter, was letting me host a replica of VINE locally," he wrote.
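The Vine image leaked its source code and keys because secrets had been baked into the image layers and the image was reachable by anyone. The check below is an added example, not Avinash's tooling or anything from Vine or Docker: it walks every layer of a `docker save` style tarball (the `manifest.json` plus one `layer.tar` per layer), and flags files whose name or content looks like a credential, so an image can be audited before it is ever pushed to a registry. The sample image, its layer names, file paths and the key-like strings in it are all constructed here for the demonstration.

```python
import io
import json
import re
import tarfile

# Content patterns that should never ship inside an image layer. These are
# constructed for this example; tune them to your own code base.
SECRET_PATTERNS = {
    "private_key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
    # NAME = 'value' / NAME: "value" where NAME ends in key/secret/token/password
    "credential_assignment": re.compile(
        rb"(?i)\b\w*(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"][^'\"\s]{8,}['\"]"),
}
# File names that are sensitive regardless of content.
SENSITIVE_NAMES = (".env", "id_rsa", "id_ed25519", ".npmrc", ".pypirc")
MAX_FILE_BYTES = 1_000_000  # skip large binaries; config secrets live in small text files


def scan_bytes(path, data):
    """Return (path, kind) findings for one file's name and content."""
    findings = []
    if path.rsplit("/", 1)[-1] in SENSITIVE_NAMES:
        findings.append((path, "sensitive_filename"))
    for kind, pattern in SECRET_PATTERNS.items():
        if pattern.search(data):
            findings.append((path, kind))
    return findings


def scan_layer(layer_bytes):
    """Scan every regular file inside one layer tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as layer:
        for member in layer.getmembers():
            if not member.isfile() or member.size > MAX_FILE_BYTES:
                continue
            findings.extend(scan_bytes(member.name, layer.extractfile(member).read()))
    return findings


def scan_image(image_bytes):
    """Walk each layer listed in manifest.json; return (layer, path, kind) tuples."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes), mode="r:*") as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            for layer_name in entry["Layers"]:
                layer_bytes = image.extractfile(layer_name).read()
                findings.extend((layer_name, path, kind)
                                for path, kind in scan_layer(layer_bytes))
    return findings


def _tar_bytes(files):
    """Build an uncompressed tar in memory from {name: content_bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image():
    """A constructed two-layer image standing in for a web-app image like 'vinewww'.
    Every path and value here is made up for the example."""
    layer1 = _tar_bytes({
        "www/app.py": b"def index():\n    return 'hello'\n",
        "www/settings.py": b"API_KEY = 'sk_live_0123456789abcdef'\nDEBUG = False\n",
    })
    layer2 = _tar_bytes({
        "www/.env": b'DB_PASSWORD="hunter2hunter2"\n',
        "root/.ssh/id_rsa": b"-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n",
    })
    manifest = json.dumps([{"Config": "config.json", "RepoTags": ["vinewww:latest"],
                            "Layers": ["l1/layer.tar", "l2/layer.tar"]}]).encode()
    return _tar_bytes({"manifest.json": manifest,
                       "l1/layer.tar": layer1, "l2/layer.tar": layer2})


if __name__ == "__main__":
    for layer, path, kind in scan_image(build_sample_image()):
        print(f"{layer}: {path}: {kind}")
```

Run it against a real export with `scan_image(open("image.tar", "rb").read())`. Note that it reports which layer a secret sits in: a file deleted in a later layer is still present in the earlier one, which is exactly why an image that "no longer contains" a key can still leak it.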

The 23-year-old reported this blunder and demonstrated full exploitation to Twitter on 31 March; the company rewarded him with a $10,080 bounty and fixed the issue within 5 minutes.

Avinash has been an active bug bounty hunter since 2015 and until now has reported 19 vulnerabilities to Twitter.

With the growing number of cyber attacks and data breaches, a significant number of companies and organizations have started Bug Bounty Programs to encourage hackers and security researchers to find and responsibly report bugs in their services and get a reward.

Now, even pornography sites are starting to embrace bug bounty practices in order to safeguard their users' security.

The world's most popular pornography site PornHub has launched a bug bounty program for security researchers and bug hunters who can find and report security vulnerabilities in its website.

Partnered with HackerOne, PornHub is offering to pay independent security researchers and bug hunters between $50 and $25,000, depending upon the impact of vulnerabilities they find.

HackerOne is a bug bounty startup that operates bug bounty programs for companies including Yahoo, Twitter, Slack, Dropbox, Uber, General Motors – and even the United States Department of Defense for its Hack the Pentagon initiative.

"Like other major tech players have been doing as of late, we’re tapping some of the most talented security researchers as a proactive and precautionary measure – in addition to our dedicated developer and security teams – to ensure not only the security of our site but that of our users, which is paramount to us," said PornHub Vice President Corey Price.

"The brand new program provides some of our developer-savvy fans a chance to earn some extra cash – upwards to $25K – and the opportunity to be included in helping to protect and enhance the site for our 60 Million daily visitors."

How to Earn $25,000 Reward

To qualify for a bounty reward, security researchers and bug hunters must meet the following requirements:

Be the first to report a security bug directly related to the company infrastructure.

Send a description of your bug report, explaining the type of vulnerability and how it works.

Include screenshots and proof of concept code to substantiate your claim.

Disclose your finding directly and exclusively with Pornhub.

The company is currently considering serious flaws that could compromise its server and entire website.

Yes, you could earn $100,000 if you have the hacking skills and love to play with electronics and gadgets.

Google has doubled its top bug bounty for hackers who can crack its Chromebook or Chromebox machine over the Web.

So if you want to get a big fat check from Google, you must have the ability to hack a Chromebook remotely, meaning your exploit must be delivered via a Web page.

How to Earn $100,000 from Google

The Chrome security team announced Monday that the top prize for hacking a Chromebook remotely has now been increased from $50,000 to $100,000 after nobody managed to successfully hack its Chromebook laptops last year.

The top bounty will be paid to the first person who executes a 'persistent compromise' of the Chromebook while the machine is in Guest Mode.

In other words, the hacker must be able to compromise the Chromebook when the machine is in a locked-down state to ensure its user privacy.

Moreover, the hack must still work even when the system is reset.

"Last year we introduced $50,000 rewards for the persistent compromise of a Chromebook in guest mode," the Google Security Blog reads. "Since we introduced the $50,000 reward, we have not had a successful submission. Great research deserves great awards, so we're putting up a standing [6-figure] sum, available all year round with no quotas and no maximum reward pool."

Bug bounties have become an essential part of information security and have been offered by major Silicon Valley companies to hackers and security researchers who discover vulnerabilities in their products or services.

Last year, Google paid out more than $2,000,000 in bug bounties overall to hackers and researchers who found bugs across its services – including $12,000 to Sanmay Ved, an Amazon employee, who managed to buy Google.com domain.

Facebook pays millions of dollars every year to researchers and white hat hackers from all around the world to stamp out security holes in its products and infrastructure under its Bug Bounty Program.

Facebook recognizes and rewards bug hunters to encourage more people to help the company keep Facebook users safe and secure from outside entities, malicious hackers or others.

Recently, the social media giant revealed that India tops all countries in the number of vulnerabilities or security holes reported in the Facebook platform, and also holds the top position for the most bug bounties paid.

"India is home to the largest population of security researchers participating in the Facebook bug bounty program since its inception in 2011. The country also holds the top spot for most bounties paid," Adam Ruddermann, Facebook’s technical program manager notes.

If you are one of Facebook’s bug hunters, you might be aware that reporting the same type of flaw (say, Cross-site Scripting or XSS) in Facebook does not always earn the same bounty.

Have you ever wondered why, and how Facebook decides the bounty amount?

Well, the procedure works the same way The Hacker News team decides which news to cover first and which not at all: based on the risk to end users.

Recently, Facebook’s bug bounty team explained how they calculate bounties.

How Facebook Calculates Bug Bounties

Bugs that allow someone to access private Facebook data, delete Facebook data, modify an account or run JavaScript under facebook.com are considered high-impact vulnerabilities that directly affect end users, and so receive the highest payouts.

"The security community in India is strong and growing every day," Facebook says. "India has long topped the list of 127 countries whose researchers contribute to our bug bounty program."

Here’s the Procedure Facebook Security team follows:

Step 1: The Facebook Bug Bounty team first looks at the potential impact of a vulnerability reported.

Step 2: Engineers at Facebook then assess how easy or difficult a particular vulnerability is to exploit, whether it is high-severity, and what resources or technical skills a successful attack would require.

Step 3: The team then looks at whether any existing features already mitigate the issue, for example, a rate-limiting mechanism that prevents brute-force attacks.

Step 4: Sometimes bug hunters report bugs that are actually Facebook features designed to give users a better experience on the social media platform. Such reports are generally not considered eligible unless they pose a threat.

Based upon the aforementioned steps, Facebook decides a base payout for each eligible vulnerability report.

The bounty amount can change as the risk landscape evolves; for example, a bug that leads to more bugs gets a bigger payout.

The team also reserves an option to award security researchers and white hat hackers more than the base amount if the report itself demonstrates a high level of clarity, sophistication, and detail.

Example — Bug Bounties Paid by Facebook

Earlier this month, Anand Prakash, 22, of India was awarded $15,000 (roughly Rs. 10 Lakhs) for reporting a Password Reset Vulnerability that could allow attackers to hack any Facebook account by resetting its password via endless brute force of a 6-digit code.

Unfortunately, Khalil did not receive any bounty, for not following the disclosure guidelines correctly and failing to clarify the vulnerability details to the Facebook Security Team.

Do you want to know how to earn high bounties? Find and Report high-severity bugs.

"The most important factor for getting the maximum bounty possible is to focus on high-risk vulnerabilities, specifically those with widespread impact," Facebook says. "So, if you're looking to maximize your bounties, focus on quality over quantity."

Bug bounty programs have been widely used by a large number of prominent technology companies, including Google, Facebook and PayPal, for which bug hunters play a vital role in securing their users’ online accounts.

Bug bounties and disclosure programs encourage researchers and hackers to responsibly report vulnerabilities to the affected companies rather than exploiting them to compromise users’ security, which could also damage the company's reputation.

Hacking a Facebook account is one of the most common queries Internet users make today. It is hard to find a way to hack a Facebook account, but an Indian hacker just did it.

A security researcher discovered a 'simple vulnerability' in the social network that allowed him to easily hack into any Facebook account, view message conversations, post anything, view payment card details and do whatever the real account holder can.

Facebook bounty hunter Anand Prakash from India recently discovered a Password Reset Vulnerability, a simple yet critical vulnerability that could have given an attacker endless opportunities to brute force a 6-digit code and reset any account's password.

Here's How the Flaw Works

Facebook lets users change their account password through the Password Reset procedure by confirming their Facebook account with a 6-digit code received via email or text message.

To verify that the user is genuine, Facebook allows the account holder to try up to a dozen codes before the confirmation code is blocked by brute-force protection that limits the number of attempts.

However, Prakash discovered that the social media giant had not implemented rate-limiting in its password reset process on the beta sites, beta.facebook.com and mbasic.beta.facebook.com, according to a blog post published by Prakash.

Prakash tried to brute force the 6-digit code on the Facebook beta pages in the 'Forgot Password' window and discovered that Facebook had set no limit on the number of attempts for the beta pages.

Video Demonstration

Prakash has also provided a proof-of-concept (POC) video demonstration that shows the attack in action. You can watch the video given below, which will walk you through the entire procedure:

Here's the culprit:

As Prakash explained, the vulnerable POST request in the beta pages is:

lsd=AVoywo13&n=XXXXX

Brute forcing the 'n' parameter allowed Prakash to reset the password of any Facebook account, taking complete control of it.

Prakash (@sehacure) discovered the vulnerability in February and reported it to Facebook on February 22. The social network fixed the issue the next day and paid him $15,000 as a reward, considering the severity and impact of the vulnerability.
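The whole flaw comes down to one server-side policy: whether the reset-code check counts failures. The verifier below is an added example, not Facebook's code; it implements the 6-digit confirmation code from the article with a `max_attempts` policy, where `None` reproduces the unlimited beta-site behaviour and `12` the "up to a dozen" limit of the production site. The 10-minute expiry and the account names are assumptions for the example. `wrong_guesses` is a test helper that deliberately never submits the real code; it exists only to show the two policies side by side.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6          # the 6-digit code described in the article
MAX_ATTEMPTS = 12        # "up to a dozen codes" on the production site
CODE_TTL_SECONDS = 600   # assumed expiry window; the article does not state one


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    failures: int = 0


class ResetCodeVerifier:
    """Server-side verifier for password-reset codes.

    max_attempts=None reproduces the beta-site behaviour from the article
    (no limit on guesses); a positive value enforces a lockout after that
    many failures. `clock` is injectable so expiry can be tested offline.
    """

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=CODE_TTL_SECONDS,
                 clock=time.time):
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock
        self._challenges = {}  # account -> ResetChallenge

    def issue(self, account):
        """Create a fresh code for `account`; deliver it out of band (email/SMS)."""
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._challenges[account] = ResetChallenge(code, self.clock())
        return code

    def _locked(self, challenge):
        return self.max_attempts is not None and challenge.failures >= self.max_attempts

    def verify(self, account, submitted):
        """Return one of: no_challenge, expired, locked, wrong, ok."""
        challenge = self._challenges.get(account)
        if challenge is None:
            return "no_challenge"
        if self.clock() - challenge.issued_at > self.ttl:
            del self._challenges[account]
            return "expired"
        if self._locked(challenge):
            return "locked"  # the lock applies even when the guess is right
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(challenge.code.encode(), str(submitted).encode()):
            del self._challenges[account]  # single use: a code never verifies twice
            return "ok"
        challenge.failures += 1
        return "locked" if self._locked(challenge) else "wrong"


def wrong_guesses(verifier, account, n):
    """Submit `n` guaranteed-wrong guesses and return the last status.

    A test helper only: it reads the real code so it can skip it, and thus
    never succeeds. It shows what each policy does under sustained guessing.
    """
    real = verifier._challenges[account].code
    status, submitted, candidate = None, 0, 0
    while submitted < n:
        guess = f"{candidate:0{CODE_LENGTH}d}"
        candidate += 1
        if guess == real:
            continue
        status = verifier.verify(account, guess)
        submitted += 1
    return status


if __name__ == "__main__":
    beta = ResetCodeVerifier(max_attempts=None)   # the vulnerable policy
    prod = ResetCodeVerifier()                    # the lockout policy
    beta_code, prod_code = beta.issue("alice"), prod.issue("alice")
    print("beta after 1000 wrong guesses:", wrong_guesses(beta, "alice", 1000),
          "then the right code:", beta.verify("alice", beta_code))
    print("prod after 12 wrong guesses:", wrong_guesses(prod, "alice", 12),
          "then the right code:", prod.verify("alice", prod_code))
```

Two details matter beyond the counter itself. The lock is stored with the challenge, so it cannot be reset by simply re-submitting the form, and a code is consumed on success, so a guessed code cannot be replayed. The lesson from the beta hosts is that the policy has to be enforced wherever the endpoint is served, not only on the primary domain.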

Update: 'Hack The Pentagon' has opened registration for its pilot bug bounty program, offering $150,000 to hackers in return for the vulnerabilities they find in its public-facing websites.

The Defense Department has enlisted the bug bounty startup HackerOne to manage the pilot program.

Interested hackers can Register Now to participate in the Bug Bounty program.

The United States Department of Defense (DoD) plans to boost its internal and network security by announcing what it calls "the first cyber Bug Bounty Program in the history of the federal government," officially inviting hackers to take up the challenge.

Dubbed "Hack the Pentagon," the bug bounty program invites hackers and security researchers from the United States only to target its networks as well as the public-facing websites registered under the DoD.

The bug bounty program will begin in April 2016, and the participants could win money (cash rewards) as well as recognition for their work, DoD says.

While announcing 'Hack the Pentagon' initiative during a conference, DoD said only "Vetted Hackers" can participate in the Bug Bounty program, which means the candidates need to undergo a Background Check after registration and before finding vulnerabilities in its systems.

Moreover, candidates would be given access to predetermined department systems (which might resemble real systems) for the specific time period of the competition.

So, do not assume that the DoD will hand over a critical piece of its infrastructure to hackers for disruption; rather, hackers will be allowed to target a predetermined system that is not part of its critical operations.

However, the Department of Defense has not yet confirmed what bounty would be provided to hackers upon a successful penetration of its network or web pages.

Why Is the DoD Launching a Bug Bounty Program?

The Department of Defense currently manages 488 websites covering everything from the 111th Attack Wing and several military units to the Yellow Ribbon Reintegration Program.

According to Chris Lynch, Director of Defense Digital Service that’s actually behind the "Hack the Pentagon" initiative:

"Bringing in the best talent, technology and processes from the private sector not only helps us deliver comprehensive, more secure solutions to the DoD, but it also helps us better protect our country."

But, Here's the Actual Reason You Need to Know:

Hackers, both foreign and domestic criminals, are actively targeting government departments and critical infrastructure that could reveal national secrets.

Just last month, an unknown hacker released personal details of at least 20,000 Federal Bureau of Investigation (FBI) agents and 9,000 Department of Homeland Security (DHS) officers.

Almost three years ago, the Pentagon said the Chinese government had conducted cyber attacks on several United States diplomatic, economic and defense industry networks.

Therefore, the real purpose of launching a dedicated bug bounty program for hackers could be a government initiative to identify vulnerabilities in its infrastructure that may expose endangered state secrets.

Just like the bug bounty programs offered by several front-runners in the technology industry, Hack The Pentagon would also be an exercise for the federal authorities to strengthen their security measures and counter cyber attacks.

Instead of the usual security audit conducted internally by the DoD, the new initiative would give fresh minds outside the Pentagon an opportunity to challenge DoD infrastructure and enhance its security measures.

The non-profit organization behind TOR – the largest online anonymity network that allows people to hide their real identity online – will soon be launching a "Bug Bounty Program" for researchers who find loopholes in Tor apps.

The bounty program was announced during the recurring 'State of the Onion' talk by Tor Project at Chaos Communication Congress held in Hamburg, Germany.

Bug bounty programs are cash rewards given by companies or organizations to white hat hackers and researchers who hunt for serious security vulnerabilities in their websites or products and then responsibly disclose them.

Bug bounties are designed to encourage security researchers and hackers to responsibly report the vulnerabilities they discover, rather than exploiting them.

Here's what one of the founders of the Tor Project, Nick Mathewson, said about the bug bounty program, as reported by Motherboard:

"We are grateful to the people who have looked at our code over the years, but the only way to continue to improve is to get more people involved...This program will encourage people to look at our code, find flaws in it, and help us to improve it."

The bug bounty program will start in the new year.

The Tor Project is following in the footsteps of a number of major technology companies, such as Facebook, Google, PayPal, and Mozilla, which offer bug bounties worth thousands of dollars.